What litigation tells us about the dangers of IP theft

This vendor-written tech primer has been edited by Network World to eliminate product promotion, but readers should note it will likely favor the submitter's approach.

Former British Prime Minister Neville Chamberlain famously said "In war, there are no winners. Only losers." The same can be said of intellectual property (IP) lawsuits involving departing employees, since, outside of the lawyers and third-party forensic companies who thrive on a robust caseload, these disputes waste too much energy and money accomplishing what reasonably diligent measures could have prevented in the first place.

While many companies are now stepping up security measures to better identify and protect their IP, still too many companies and employees fail to grasp the seriousness of protecting IP (and the repercussions that often flow from failing to do so).


According to a recent study commissioned by Symantec (see "What's Yours is Mine: How Employees Are Putting Your Intellectual Property At Risk"), half of all departing employees retain confidential company files following their termination. Having access to confidential files obviously increases the odds that, when that employee finds a new job, they will access, disclose, or use such information.

Here are some recent trends in litigation involving mobile employees and some suggestions for both employers and employees to help minimize the cost and distraction that stem from IP theft by the departing employee.

Times have changed, but common practices have not

Before the adoption of PCs and e-mail, IP was easier to track and contain. Early trade secret lawsuits often involved the theft of hand-written customer lists, secret recipes, or old-school engineering notebooks. Nowadays, of course, most companies store digital versions of their sensitive business information, yet few companies have adopted internal security measures that effectively monitor and control their employees' access to such information, and even fewer implement restrictions on an employee's ability to copy or otherwise move confidential information offline.

Nowadays, employees regularly create confidential business information on their home computers or other personal devices, and store such information in every manner imaginable (personal email accounts, smartphones, tablets, online storage/cloud accounts, USB flash drives or external hard drives, memory cards, DVDs, etc.). According to the Symantec survey, more than half of employees feel it's acceptable to move corporate data to personal devices, email accounts and cloud services without prior company approval. While having constant and seamless access to confidential work files no doubt increases productivity, the increased commingling of company and personal information on these devices only further increases the odds that a departing employee will fail to return all company information upon separation.

With the seemingly never-ending invention of new methods to store and transfer files, and more and more employees working from home, companies are losing track of their valuable trade secrets. The departing employee, often equipped with a 3TB external HD or an even sneakier 64GB flash drive, poses a significant risk for those companies who have lost control of their own IP. And companies whose exit process consists of a high-level exit interview, during which they collect laptops and keycards before reiterating that departing employees are required to return company property and are prohibited from using or disclosing confidential information and IP, are essentially sanctioning the theft of their most valuable company assets.

Common scenarios

Recent IP lawsuits highlight typical behavior of employees who leave to work for a competitor:

* The Back-Up Plan. A management-level employee with a heavy-travel schedule has a company-issued laptop. She stores all of her company confidential information on this device along with a significant amount of her valuable personal files (photos, iTunes, etc.). She also doesn't trust the company's back-up procedures, having once lost a significant amount of her own work product due to a virus, and so has been routinely (and secretly) backing up her entire hard drive every three months. While she returns her laptop to the company during her exit interview, she makes no mention of the recent back-up she stores at home.

* The Proud Artist. A software architect pours his heart and soul into code he's been writing and de-bugging for the past year. Like an artist commissioned to paint a private portrait, this employee is proud of his work, which enabled his employer to launch its product months ahead of schedule. Although he signed, and claims to understand, the Inventions Assignment Agreement that was part of his offer package, he honestly believes this source code belongs to him because he wrote it. For this reason, as he cleans up his workstation the day before announcing his resignation, he accesses the server and copies the code he will one day proudly share with his children.

* The Shifty Sales Guy. A senior account executive for a major bank has been shaking hands and building a massive network of high net worth individuals since getting his MBA 20 years ago. What started as a binder of business cards has evolved into an Outlook contacts file (.pst) with more than 4,000 entries. Without a second thought, the newly hired senior account executive loads his entire file onto the company's network the first week on the job. Over the course of the next five years, he constantly adds to this database, including contact information for prospects and leads sourced by the company's lower-level sales team. Often, in addition to name, address, and contact information, he adds key client information, including net worth, investment preferences, and the type of whiskey the client prefers during the holidays. Like he did when he left his prior job, and without permission and without notifying the company, the senior account executive copies his entire .pst file before tendering his resignation because, in his mind, these contacts belong to him. If pressed, he'll explain that all of his relatives' birthdays are stored in this .pst file and that's why he deserves to take it with him.

These employees each took information their employer considered trade secret. But they are unlikely to inform a new employer of this conduct because doing so would necessarily admit a violation of the employer's terms and conditions (and may even lead to termination). That's because smart companies require new hires, as a condition of employment, to not only abide by all continuing obligations to any former employer, but also to refrain from bringing such information to their new job. Nevertheless, Symantec found that 56% of employees feel it isn't wrong to take and use a competitor's confidential information.

What steps could the former employer have taken to minimize the risk that employees will take confidential files with them, as the majority of mobile employees feel it is acceptable to do? And because the new employer will likely be liable for any trade secret misuse or disclosure by the new hire, what steps can the new employer take to mitigate the risk of expensive IP litigation? And finally, what steps should the mobile employee take to ensure their potential exposure is minimized?

Tips for the employer (old and new)

Organizations fully intent on deterring insider theft should employ a dedicated team of HR, security and legal professionals who collectively create policies, drive training and monitor employees. Employees within these organizations will come to understand, over time, that stealing trade secret information is not only wrong but has serious consequences.

Effective policies and procedures must span the entire employment relationship. During recruiting, companies should ensure that they are not targeting competitor's employees with the hopes of gaining access to competitive IP. Employees conducting interviews should be cognizant not to request trade secret information during the interview, and candidates should be clear that they must refrain from sharing any non-public information from their current employer.

New hire documentation should not only include a standard NDA, but offers of employment themselves can be made contingent on the new hire's promise that he or she has complied with all lawful obligations to any former employer (including the obligation to return all company property and trade secret information, wherever it may reside).

Given the ease of copying/transferring files enabled by today's technology, some companies are starting to implement policies that strictly limit the use of personal devices (including personal email, smartphones and external storage devices) to conduct company business. For those companies that permit employees to use personal devices for company business, BYOD (bring your own device) policies are necessary to ensure the protection of company IP that becomes intermingled with personal files/devices.

To claim IP protection, the law requires that companies implement reasonable measures to ensure the secrecy of their trade secret data. In addition to strict NDAs, implementing password security measures, limiting access to confidential files on a need-to-know basis, and following physical security measures (visitor sign-in sheets, secure room for storing confidential files, etc.) are advisable procedures.

Just as companies routinely train their employees on their discrimination and harassment policies, so should companies continuously train their employees on the importance of protecting intellectual property. Employees often struggle to determine what information is actually confidential vs. information that is considered general knowledge and skills (which they are free to use after they leave). Training, therefore, should aim to help the employees identify the company's core intellectual property (i.e., a secret manufacturing process, an innovative pricing methodology, a detailed prospect list, etc.).

But organizations need more than policies and training to effectively combat the alarming trends revealed by the Symantec study. Companies should also implement tools, such as data loss prevention (DLP), to detect and help prevent IP theft. Once a company identifies its core IP and implements a DLP solution, it can monitor the use of confidential data on desktops, laptops and mobile devices, and also record unusual data access patterns, particularly when large volumes of data are accessed and/or copied.

An effective DLP solution can also detect unauthorized backups or transfers of IP to external devices or applications such as cloud services. Control should extend to .pst files, and administrators can enable features to effectively block IP transfers to unauthorized destinations.

Just as companies employ security software to warn employees engaging in dangerous browsing habits (think pop-up that asks, "Are you sure you want to open this infected file?"), employers can use DLP software to warn employees whose behavior runs afoul of company IP policy. Employers can also use monitoring tools to notify managers in the event of unauthorized IP copying, behavior that is more prevalent among employees who've already decided to take another job.

Stricter monitoring of access to and copying of sensitive IP may seem excessive at first, but real-time enforcement is a far more efficient way to prevent IP theft before it occurs and, generally speaking, is a more cost-effective way to protect IP than the usual practice of examining an employee's computer usage after the employee has already departed. As Frederick Taylor discovered long ago in his organizational studies, employees who know (or at least think) their behavior is being actively monitored are less likely to act contrary to company policy.


A detailed exit interview is also an important tool to deter IP theft. Prior to an exit interview, companies can use the monitoring solution to run a report for HR that reveals any unauthorized actions by the departing employee and identifies any data or devices that should be returned. With this information already in hand, an employee's credibility (and risk factor) should be easy to gauge during the exit interview.
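As an added illustration (not Symantec's product and not the authors' code), the following constructed script shows the kind of check the DLP paragraphs above describe and the pre-exit report for HR mentioned here: it reads sample endpoint events, flags bulk copies to external destinations and .pst exports, and lists USB device serials that HR should ask the departing employee to return. The event format, field names and thresholds are all assumptions.

```python
"""Toy DLP-style detector over constructed endpoint events (illustration only)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry): time, user, action, path, bytes,
# destination. Destination is "local" or an external target such as usb:<serial>,
# cloud:<service> or mail:<address>; the format itself is an assumption.
SAMPLE_EVENTS = """\
2013-05-01T09:02:11,alice,read,/share/engineering/design.docx,204800,local
2013-05-01T21:14:03,bob,copy,/share/src/core/engine.c,1048576,usb:SN-1234
2013-05-01T21:14:09,bob,copy,/share/src/core/parser.c,2097152,usb:SN-1234
2013-05-01T21:15:40,bob,copy,/share/src/core/crypto.c,3145728,usb:SN-1234
2013-05-01T21:20:02,bob,copy,/share/src/core/tests.tar,5242880,usb:SN-1234
2013-05-02T10:31:55,carol,copy,C:/Users/carol/Outlook/contacts.pst,52428800,cloud:dropbox
2013-05-02T11:00:00,alice,copy,/share/marketing/brochure.pdf,512000,usb:SN-9999
"""

WINDOW = timedelta(hours=1)        # assumed tuning values; a real deployment
BULK_BYTES = 8 * 1024 * 1024       # would set these from baseline activity
BULK_FILES = 3
SENSITIVE_SUFFIXES = (".pst",)     # the article singles out Outlook .pst exports


def parse_events(text):
    """Parse the CSV-like event lines into dicts sorted by timestamp."""
    events = []
    for line in text.strip().splitlines():
        ts, user, action, path, size, dest = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "user": user, "action": action,
                       "path": path, "bytes": int(size), "dest": dest})
    return sorted(events, key=lambda e: e["ts"])


def detect(events):
    """Build a per-user pre-exit report: findings plus USB serials to collect."""
    report = defaultdict(lambda: {"findings": [], "devices": set()})
    by_user = defaultdict(list)
    for e in events:
        if e["action"] != "copy" or e["dest"] == "local":
            continue                                     # only outbound copies matter here
        by_user[e["user"]].append(e)
        if e["dest"].startswith("usb:"):                 # device HR should ask to be returned
            report[e["user"]]["devices"].add(e["dest"].split(":", 1)[1])
        if e["path"].lower().endswith(SENSITIVE_SUFFIXES):
            report[e["user"]]["findings"].append(f"sensitive export {e['path']} -> {e['dest']}")
    for user, evs in by_user.items():
        start = 0                                        # sliding one-hour window per user
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > WINDOW:
                start += 1
            win = evs[start:end + 1]
            total = sum(x["bytes"] for x in win)
            if total >= BULK_BYTES or len(win) >= BULK_FILES:
                report[user]["findings"].append(
                    f"bulk external copy: {len(win)} files, {total} bytes within {WINDOW}")
                break                                    # one bulk finding per user suffices
    return {u: {"findings": r["findings"], "devices": sorted(r["devices"])}
            for u, r in report.items()}
```

Note that a user with no findings still appears in the report when a USB device was seen, so HR has the list of devices to collect even where no bulk copy was detected.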

The exit interview is yet another opportunity to review continuing obligations with the departing employee, ensuring they have a clear understanding of what the company considers to be its valuable trade secret information. HR should provide clear, specific direction on the property that employees must return: not just laptops and smartphones, but also USB drives and other devices that the company has already identified as having been connected to company machines (and which are therefore likely to contain company IP).

While these steps may seem Orwellian at first, they are designed to detect and prevent IP theft (and actual damage) before it occurs. Moreover, the costs of implementing these steps generally pale in comparison to the significant resources companies already spend on post-termination forensic analysis and litigation necessary to recover damages which could have easily been prevented.

Tips for the mobile employee

First and foremost, employees need to grasp the significance of protecting IP and take responsibility for their own actions. That is particularly true when their employer has failed to implement any IP security measures. Where the employer has implemented a solid DLP solution, however, employees should understand that their behavior regarding copying or emailing IP is traceable, and they should act accordingly.

Certainly, not all information learned on the job is a protectable trade secret, and the law protects an employee's right to use all of the general knowledge, skills and experience she's learned throughout her career. When the line between trade secrets and general knowledge is blurry, employees should err on the side of caution and ask either their current or former employer for guidance.

Because taking company property is theft, even employees who were never required to sign detailed NDAs must still return company property upon their termination. While federal law is still evolving on this subject, many states interpret the Computer Fraud and Abuse Act as prohibiting an employee from accessing company computers for the purpose of copying files for use in their next endeavor.

That same law also prohibits the destruction of company information, and so departing employees should be careful to identify all devices and accounts they have ever used to conduct company business (and which are likely to contain company IP) and engage in an iterative process with the employer to ensure these devices are cleansed, and information is returned, to the employer's satisfaction. Taking matters into your own hands, whether through simply deleting company files or by using evidence destruction software, often makes matters worse once the employer discovers the use of sector over-writing software (which gives rise to all sorts of justifiable negative inferences).

An employee who affirmatively flags the importance of returning company property, and cleansing personal devices/accounts, during the exit process will likely garner goodwill from an employer whose information is being protected.

As much as we worry about hackers and industrial espionage in business today, we do not pay enough attention to the danger our own employees can pose to our IP. As the Symantec study demonstrated, changing jobs provides the perfect incentive and opportunity for employees to take liberties with company trade secrets. By implementing a combination of IP protection policies, continuing education, and contemporaneous monitoring tools, businesses can better protect their trade secret information before it walks out the door.

Given the increasing costs of forensic analysis and IP litigation, along with the significant damage that can occur when trade secrets are actually stolen and used to compete unfairly, the costs of implementing such a comprehensive IP protection program are well spent in today's war for information.

Dave Burtt is the founder of Mobility Legal P.C., and Donald Closser is the vice president, data loss prevention, at Symantec.
